ESXi Updates for Cloud Foundation for Service Providers fails during upload
Article ID: 330377
Products
VMware Cloud Foundation
Issue/Introduction
Symptoms:
The SSL Certificates were updated in the vSphere deployment.
Attempts to apply the updates to an ESXi host fail, and you see errors similar to:
...
{
  "bundleId": "6230de15-46e7-4623-a0be-4a07dcf17e8b",
  "bundleElementId": "4bf37a6a-3150-463f-9cab-144b54aafb4f",
  "bundleElementOrder": 1,
  "resourceType": "ESX_HOST",
  "resourceId": "ff7862c1-dacd-11e7-815a-93f8572d9e8d",
  "upgradeId": "ee276890-9095-465c-a681-d2b4a6a9679e",
  "upgradeStatus": "COMPLETED_WITH_FAILURE",
  "upgradeError": {
    "errorType": "RECOVERABLE",
    "stage": "ESX_UPGRADE_VUM_STAGE_UPLOAD_FILES",
    "errorCode": "ESX_UPGRADE_VUM_FAILED_UPLOAD",
    "errorDescription": "",
    "metadata": "\nThe upload of ESXi update bits failed.\nUpgrade failed. Auto-recovery attempt failed as well. Manual intervention needed.\nCheck for errors in the lcm log files located on server 127.0.0.1 under /home/vrack/lcm/logs\nLCM will bring the domain back online once problems found in above steps are fixed manually. Please retry the upgrade once the upgrade is available again."
  }
...
In /home/vrack/lcm/logs/lcm.log on the node manager, you see entries similar to:
2017-12-11 17:44:08.546 [ThreadPoolTaskExecutor-4] DEBUG [com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunnerImpl] upgradeId=ee276890-9095-465c-a681-d2b4a6a9679e,resourceType=ESX_HOST,resourceId=ff7862c1-dacd-11e7-815a-93f8572d9e8d,bundleElementId=4bf37a6a-3150-463f-9cab-144b54aafb4f Uploading /mnt/lcm-bundle-repo/6230de15-46e7-4623-a0be-4a07dcf17e8b/bundle-889/ESXi650-201710001.zip to VUM
2017-12-11 17:44:08.549 [ThreadPoolTaskExecutor-4] INFO [com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper] upgradeId=ee276890-9095-465c-a681-d2b4a6a9679e,resourceType=ESX_HOST,resourceId=ff7862c1-dacd-11e7-815a-93f8572d9e8d,bundleElementId=4bf37a6a-3150-463f-9cab-144b54aafb4f Uploading file to VUM: /mnt/lcm-bundle-repo/6230de15-46e7-4623-a0be-4a07dcf17e8b/bundle-889/ESXi650-201710001.zip
2017-12-11 17:44:08.549 [ThreadPoolTaskExecutor-4] DEBUG [com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper] upgradeId=ee276890-9095-465c-a681-d2b4a6a9679e,resourceType=ESX_HOST,resourceId=ff7862c1-dacd-11e7-815a-93f8572d9e8d,bundleElementId=4bf37a6a-3150-463f-9cab-144b54aafb4f Logging into VUM File upload server @ https://s603107ch3vc01.dccf.s603107.io:9087/vum-fileupload/login/
2017-12-11 17:44:08.679 [ThreadPoolTaskExecutor-4] ERROR [com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunnerImpl] upgradeId=ee276890-9095-465c-a681-d2b4a6a9679e,resourceType=ESX_HOST,resourceId=ff7862c1-dacd-11e7-815a-93f8572d9e8d,bundleElementId=4bf37a6a-3150-463f-9cab-144b54aafb4f Failed to upload file(s) to VUM: {}
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://s603107ch3vc01.dccf.s603107.io:9087/vum-fileupload/login/": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
    at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:407)
    at com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper.login(FileUploadHelper.java:96)
    at com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper.upload(FileUploadHelper.java:134)
    at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunnerImpl.doUpload(EsxVumUpdateStageRunnerImpl.java:627)
    at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunner.doStage(EsxVumUpdateStageRunner.java:79)
    at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumPrimitiveImpl.runUpgrade(EsxVumPrimitiveImpl.java:288)
    at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumPrimitiveImpl.startOrResumeUpgrade(EsxVumPrimitiveImpl.java:170)
    at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumPrimitiveImpl.postUpgrade(EsxVumPrimitiveImpl.java:139)
    at com.vmware.evo.sddc.lcm.orch.PrimitiveService.postUpgrade(PrimitiveService.java:192)
    at com.vmware.evo.sddc.lcm.orch.PrimitiveService$$FastClassBySpringCGLIB$$aff213fb.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.aop.interceptor.AsyncExecutionInterceptor$1.call(AsyncExecutionInterceptor.java:115)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:652)
    ... 19 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 33 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 39 common frames omitted
Cause
The SDDC Manager cannot transfer the updates to VUM so they can be applied, because it does not trust the installed certificate.
Resolution
To resolve this issue, revert the changes to the certificates or install trusted certificates.
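To confirm which endpoint the trust failure applies to, and to re-check it once certificates are reverted or replaced, the following added example (not VMware tooling and not part of the original article) scans lcm.log text for ERROR entries that report a PKIX path-building failure and extracts the target host and port. The sample log, the function names and the ca_bundle parameter (a PEM file holding the CA certificates the client is expected to trust) are assumptions made for illustration.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample in the lcm.log layout shown above (host and IDs are placeholders).
SAMPLE_LOG = """\
2017-12-11 17:44:08.549 [ThreadPoolTaskExecutor-4] INFO [com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper] upgradeId=11111111-2222-3333-4444-555555555555,resourceType=ESX_HOST Uploading file to VUM: /mnt/lcm-bundle-repo/example/bundle.zip
2017-12-11 17:44:08.679 [ThreadPoolTaskExecutor-4] ERROR [com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunnerImpl] upgradeId=11111111-2222-3333-4444-555555555555,resourceType=ESX_HOST Failed to upload file(s) to VUM: {}
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://vc01.example.test:9087/vum-fileupload/login/": sun.security.validator.ValidatorException: PKIX path building failed
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
"""

ENTRY_START = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \[)")
HEADER = re.compile(r"^(\S+ \S+) \[[^\]]+\] (\w+) ")
URL = re.compile(r'I/O error on \w+ request for "([^"]+)"')
UPGRADE_ID = re.compile(r"upgradeId=([0-9a-f-]+)")

def find_trust_failures(log_text):
    """Return one dict per ERROR entry whose stack trace reports a PKIX failure."""
    findings = []
    for entry in ENTRY_START.split(log_text):  # an entry = header line + its stack trace
        head = HEADER.match(entry)
        if not head or head.group(2) != "ERROR" or "PKIX path building failed" not in entry:
            continue
        url = URL.search(entry)
        uid = UPGRADE_ID.search(entry)
        target = urlsplit(url.group(1)) if url else None
        findings.append({
            "time": head.group(1),
            "upgrade_id": uid.group(1) if uid else None,
            "host": target.hostname if target else None,
            "port": target.port if target else None,
        })
    return findings

def check_chain(host, port, ca_bundle):
    """Handshake with host:port trusting only ca_bundle (assumed PEM path); None means trusted."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

if __name__ == "__main__":
    for finding in find_trust_failures(SAMPLE_LOG):
        print(finding)
```

Run check_chain against the host and port reported by find_trust_failures from the machine that performs the upload; a non-None return value is the verification error for that endpoint's certificate chain.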